Method for carrying out monitoring in packet-oriented telecommunication and data networks

ABSTRACT

The invention relates to a method for carrying out monitoring in packet-oriented telecommunication networks and data networks. The inventive method makes it possible to reduce the processor performance required to carry out legal monitoring of telecommunication subscribers in switching nodes of packet-oriented telecommunication and data networks. The basic problem is the high number of comparatively short data packets, each of which must be compared with the full list of subscriber connections which are to be monitored throughout the network, and the computing power which this consequently requires in each network node. The inventive method is based on a reduced individual node list which is automatically generated and maintained, so that the number of individual verifications within a network node is kept to a minimum.

[0001] The invention relates to a method for carrying out monitoring in packet-oriented telecommunication and data networks.

[0002] The fundamental procedure for carrying out subscriber monitoring in telecommunication networks is described in ETSI GSM 03.33 (Tdoc SMG10 98 D047). In the Federal Republic of Germany, telecommunication services are monitored in line with the applicable legal provisions.

[0003] Packet-oriented telecommunication networks are, for example, cellular mobile radio networks based on the GSM standard using GPRS transmission methods (ETSI 03.60). In contrast to line-based (circuit-switched) services, in this case the individual data packets are transmitted individually in the network using the TCP/IP protocol (in line with Internet Engineering Task Force IETF standards RFC 793/RFC 791), which means that the usual association between data transmission channel and communication subscriber does not exist.

[0004] The same method is applied on the public Internet. The same problems arise there.

[0005] When carrying out legal monitoring, particular problems are encountered with this type of transmission. The transmission channels are used by a large number of different customers with relatively short data packets in each case.

[0006] When monitoring is carried out, all data packets therefore need to be compared with a list of the subscribers which are to be actively monitored in order to filter out (to copy) those packets which can be attributed to the subscribers to be monitored in the transmission or reception direction.

[0007] Accordingly, the technical complexity rises as the bandwidth increases (more packets per unit time) and as the number of monitoring instances rises (longer list needing to be verified for each packet).

[0008] The components involved in switching (switching nodes, routers, gateways etc.) are equipped with microprocessor systems and their switching power is impaired quite considerably by the technical monitoring tasks. This is reflected in the costs because, as the monitoring tasks increase, more and also more powerful components need to be installed than would be the case for the pure switching tasks.

[0009] Since the monitoring tasks are among the legal requirements, these services have to be provided by the network operators, who need to bear the financial costs themselves.

[0010] It would therefore be of great commercial advantage if the processor complexity which needs to be provided for the legal monitoring tasks (Lawful Interception) could be reduced.

[0011] The present invention is based on the object of proposing a method which can be taken as a basis for reducing the computation complexity (processors, memory, systems) required for carrying out the legal monitoring for communication subscribers in packet-oriented telecommunication and data networks, so as to save hardware and investment.

[0012] This object is achieved by the characterizing features of patent claim 1.

[0013] The invention is described below using one possible embodiment with the example of the GPRS service in the GSM network in a schematic illustration of an exemplary embodiment with reference to the drawings. The drawings and their description reveal further features and advantages of the invention.

[0014] FIG. 1 shows the general procedure for monitoring subscriber lines in the mobile radio sector (ETSI GSM 03.33) in line with the prior art.

[0015] The monitoring is administered in the ADMF. The ADMF maintains, in particular, a list of the subscribers (subscriber call numbers) which are currently each subject to the measure. These subscriber data are transmitted to the network nodes in the form of the call numbers (in the GSM network, the IMSI or MSISDN), with each network node receiving all the call numbers, since the administrator cannot maintain the data on the basis of the movement profile of the terminals in the network.

[0016] For data nodes, this can result in the performance problems described.

[0017] As an alternative to the IMSI/MSISDN, other data networks, for example the Internet, can involve the use of other subscriber identifiers, such as the TCP address (optionally in combination with the IP port number).

[0018] FIG. 2 shows an inventive procedure for eliminating the drawbacks. The central ADMF contains the total list of all active monitoring in the network (Interception Subscriber Network List ISNWL). These data are delivered cohesively or alternatively as single data items to the switching node (Network Node NN) in the packet data network. In this case, an optional filter function (Network Management Function NMF) is used to reduce the scope of the list. The NMF is preferably part of the NN, or a dedicated device which is responsible for a plurality of NNs. It is connected to the network node and, if required, to other network devices, such as the Home Location Register (HLR), in order to detect criteria for automatically reducing the list.

[0019] One suitable criterion exists, by way of example, if the customer in question cannot use the service provided in the NN on account of his technical equipment (no data terminal or the like) or on account of the contractual situation (no authorization to use data services), on account of the traffic relations (currently no data traffic/no context) or other criteria. Another reason can exist if the customer is currently visiting another network area, which means that his data traffic is not relevant to the present network node.

[0020] These and similar parameters can be used to reduce the ISNWL. The remaining data are stored as an Interception Subscriber Node List (ISNL) in the network node in the form of a database or in the form of a memory table and are respectively updated on the basis of the current level of the ISNWL and optionally other network information in the course of processing in the NMF.

[0021] The scope of the remaining list can still be very long, particularly if the optional NMF is not available. In this regard, an alternative or additional reduction method is used (Interception Node Sublist INS).

[0022] The list is created using the filter function (Sublist Management Function SMF) from the ISNL or alternatively from the ISNWL.

[0023] The criteria for the second reduction stage are provided by statistics and by the performance level of the node in question. The ISNWL applies nationwide/networkwide. From a statistical point of view, only a fraction of the subscribers on that list, which can be estimated from the number of similar nodes in the network, can be present within a single switching node.

[0024] A further boundary is provided by the computer capacity in the network node.

[0025] In addition to this there is the statistical circumstance that the number of instances of interception is small in comparison with the total number of subscribers. That is to say that the likelihood of a data packet actually needing to be duplicated (copied) is very low.

[0026] This in turn means that, for each data packet, there is a high likelihood of the total list needing to be processed, since the likelihood of the relevant packet's addressee actually being stored in the list is very low (a comparison therefore usually runs to the end of the list without finding a match). If all passing packets each need to have their addresses compared with the full networkwide interception list, this can require the full computation power, which means that it is no longer possible to transmit any kind of packet within the timeout values which are to be observed at the protocol end, and hence the traffic collapses. Accordingly, the list is reduced to a sensible number of entries in a second stage and is continually kept up to date.

[0027] Arriving data packets are then compared with the reduced list (in this case the INS) only in the address part. If the addressee in question is listed in the INS, the data need to be copied; if this is not the case, it can be assumed with a very high degree of likelihood that the data packet is not one which needs to be monitored.

[0028] List of Abbreviations:

[0029] ADMF Administration Function (Legal Interception Control Center)

[0030] LEA Law Enforcement Agency (interested party)

[0031] DF2 Delivery Function 2 (Interception Related Information)

[0032] DF3 Delivery Function 3 (Interception Data Product)

[0033] NN Network Node

[0034] X Interface

[0035] ISNWL Interception Subscriber Network List

[0036] ISNL Interception Subscriber Node List

[0037] INS Interception Node Sublist

[0038] NMF Node Management Function

[0039] SMF Sublist Management Function

[0040] HLR Home Location Register 

1. A method for carrying out monitoring in packet-oriented telecommunication and data networks, characterized in that a central administration device manages all subscriber lines (subscribers) which are to be monitored and, regardless of the service-specific use authorization for the individual subscriber line, of the technical opportunity to use the terminals, the geographical sense and further properties which are relevant to network nodes or to subscribers, all existing instances of monitoring are distributed, independently of network node, to all packet-data nodes in a telecommunication or data network, which means that the central administration complexity can be minimized, the networkwide standard monitoring list (ISNWL) being respectively reduced to an individual list (ISNL) for specific network nodes by virtue of monitoring subscribers which cannot communicate in the network node in question at the present time being automatically deleted from the list, and a further reduction, or an alternative reduction, to give a minimized individual list of subscribers which are to be observed (INS) being made by taking into account the maximum statistical traffic relations within the network node in comparison with the number of similar network nodes in the whole network and the maximum node performance, and the reduced node-specific list minimizing the processing complexity for the address comparison between each data packet which is to be conveyed and the monitoring list.
2. The method as claimed in claim 1, characterized in that a network-node-specific reduction in the central monitoring list can be attained using a node-specific filter function NMF, the filter device being connected to network-node-specific databases or call-processing tables and/or to the relevant network devices (Customer Care & Billing Center, Home Location Register, Service Database or the like) for the purpose of automatically detecting such subscribers on the central list as cannot currently produce any traffic at all in the network node in question for contractual, technical, geographical, lack of current context or other reasons, and can therefore be deleted from the list on a network-node-specific basis without loss of security.
3. The method as claimed in claim 1, characterized in that a further optional reduction of entries on the central ISNWL list, or the list which has already been reduced on the basis of individual nodes (ISNL), can be achieved by virtue of a filter function (SMF) taking into account the statistical circumstances in the network (number of similar nodes) and the performance capability of the node in question (only a particular number of address comparisons implementable per packet) such that a remaining node-specific interception list (INS) is produced which is used to verify each data packet which passes. The likelihood of a packet which is to be observed not being detected is extremely low in this case.
4. The method as claimed in claims 1 to 3, characterized in that the presence of a network-node-specific list INS which has been produced as a result of the selection of subscribers which have an active traffic relationship (active data context) in instances when additional subscribers are likewise setting up an active traffic relationship (GPRS in line with ETSI 03.60, for example GPRS Attach and PDP Context Activation) involves these instances of activation being compared with the standard monitoring list (ISNWL), since these subscribers cannot, by definition, yet be present in the reduced list at the time of activation, and the activation activity likewise needs to be observed, however. This functionality has no time criticality, however, since it occurs less frequently than data packets and can additionally be subject to a time delay.
5. The method as claimed in claims 1 to 4, characterized in that the filter functions are continually in operation so that ultimately the node-related list ISNL or INS is always up to date.
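As an added illustration that is not part of the patent, the following Python model shows the two-stage reduction described in paragraphs [0018] to [0027] (NMF from the ISNWL to the ISNL using HLR criteria, SMF capacity bound on the INS), the per-packet check of the address part against the INS only, and the context-activation check of claim 4 against the full ISNWL. All IMSIs, IP addresses and HLR entries are constructed, and the class and function names are assumptions.

```python
# Constructed ISNWL: IMSIs under an active measure, as delivered by the ADMF.
ISNWL = {"262010000000001", "262010000000002", "262010000000003", "262010000000004"}

# Constructed HLR extract: data entitlement and current location area per IMSI.
HLR = {
    "262010000000001": {"data_allowed": True,  "area": "NN-A"},
    "262010000000002": {"data_allowed": False, "area": "NN-A"},  # no data service
    "262010000000003": {"data_allowed": True,  "area": "NN-B"},  # served elsewhere
    "262010000000004": {"data_allowed": True,  "area": "NN-A"},
}


def nmf_reduce(isnwl, hlr, node_area):
    """Stage 1 (NMF): drop targets that cannot produce traffic in this node."""
    return {imsi for imsi in isnwl
            if hlr.get(imsi, {}).get("data_allowed")
            and hlr[imsi]["area"] == node_area}


class PacketNode:
    """A packet node holding its ISNL and the active-context sublist INS."""

    def __init__(self, area, isnwl, hlr, max_ins_entries):
        self.isnwl = isnwl                         # full list, used only at activation
        self.isnl = nmf_reduce(isnwl, hlr, area)   # node-specific list (stage 1)
        self.max_ins_entries = max_ins_entries     # SMF capacity bound (stage 2)
        self.ins = {}                              # IP address -> IMSI, the per-packet list

    def activate_context(self, imsi, ip):
        """PDP context activation (claim 4): compare against the full ISNWL,
        then add the assigned IP address to the INS if the target is in the ISNL.
        Returns (activation_is_intercepted, ins_overflow)."""
        intercepted = imsi in self.isnwl
        overflow = False
        if imsi in self.isnl:
            if len(self.ins) < self.max_ins_entries:
                self.ins[ip] = imsi
            else:
                overflow = True  # SMF bound reached; the node cannot hold this target
        return intercepted, overflow

    def deactivate_context(self, ip):
        """Context teardown keeps the INS current (claim 5)."""
        self.ins.pop(ip, None)

    def packet_needs_copy(self, src_ip, dst_ip):
        """Per-packet check: only the address part, only against the INS."""
        return src_ip in self.ins or dst_ip in self.ins
```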